<!DOCTYPE html>
<html>
    <head>
        <title>Subresource integrity check shouldn't be bypassed by
            changing integrity attribute</title>
        <script src="../../resources/testharness.js"></script>
        <script src="../../resources/testharnessreport.js"></script>

    </head>
    <body>
        <script>
        var t = async_test('Integrity check should not be bypassed ' +
            'by changing integrity attribute');
        var url = 'style-1-of-3.css?test=bypass-by-attribute-change';

        // 1. Create a stylesheet with an unmatching integrity attribute.
        var link1 = document.createElement('link');
        link1.setAttribute('rel', 'stylesheet');
        link1.setAttribute('href', url);
        link1.setAttribute('integrity',
            'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=');

        // This is expected to fail, but anyway proceed to step 2 and
        // check whether the second stylesheet fails.
        link1.addEventListener('load', step2);
        link1.addEventListener('error', step2);

        document.head.appendChild(link1);

        // 2. Set the integrity attribute to the correct hash after fetch starts.
        link1.setAttribute('integrity',
            'sha256-RvLeYLQyPa_ZQk95Rj0XQpfsoBHW9Vrqb3zwo5DScrI=');

        function step2() {
            // 3. Create a stylesheet with the same URL and the same
            // unmatching integrity attribute. This should fail.
            var link2 = document.createElement('link');
            link2.setAttribute('rel', 'stylesheet');
            link2.setAttribute('href', url);
            link2.setAttribute('integrity',
                'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=');
            link2.addEventListener('load',
                t.unreached_func('Integrity check is bypassed'));
            link2.addEventListener('error', t.step_func_done());
            document.head.appendChild(link2);
        }

        </script>
    </body>
</html>
